
Security Practices
We take the security of customer data very seriously at Playmatic. If you have additional questions regarding security, we are happy to answer them. Please write to security@playmatic.ai and we will respond as quickly as we can. The Security Practices page describes the administrative, technical and physical controls applicable to Playmatic.
Hosting and Architecture
Playmatic is available as a cloud-based service hosted on enterprise-grade infrastructure.
Cloud-based (hosted) services
The infrastructure for Playmatic is provided and hosted by Amazon Web Services, Inc. ("AWS") primarily in the `us-west-2` region. Information about security provided by AWS is available from the AWS Security website. Information about security and privacy-related audits and certifications received by AWS, including information on SOC reports, is available from the AWS Compliance website.
Playmatic uses services from Supabase, Inc. for authentication and user management. Information about their security practices can be found on the Supabase Security page.
For browser automation and test execution, we utilize services from:
• Browserbase for browser automation infrastructure
• Hyperbrowser for alternative browser automation
• Steel for browser automation services
• Scrapybara for specialized testing scenarios
For application monitoring and observability, we utilize:
• Datadog for application monitoring, logging, and performance tracking
• Sentry for error tracking and performance monitoring
For payment processing, we use Stripe, Inc. for subscription management and billing. Information about their security practices can be found on the Stripe Security page.
For AI inference and test generation, Playmatic uses:
• OpenAI's API platform for GPT models. Information about their security practices can be found at the OpenAI Enterprise Privacy page.
• Google Cloud Vertex AI for Gemini models
The above-mentioned third-party service providers constitute data sub-processors of Customer Content. These providers are essential to delivering Playmatic's services and are bound by strict data protection requirements and security controls.
All AI requests include test instructions, requirements, and relevant context needed for test generation.
Storage of Customer Test Data
Playmatic stores test definitions, configurations, and execution results in Supabase-hosted PostgreSQL databases. Unlike code repositories, we store:
• Test Instructions: Natural language test descriptions and requirements
• Test Configurations: Environment settings, resource configurations, and test parameters
• Execution Results: Test run outcomes, logs, and performance metrics
• Screenshots: Test execution screenshots stored in AWS S3 with time-limited access
• Resource Data: Encrypted storage of test credentials, API keys, and sensitive test data
• Repository Integration: When connected to GitHub repositories, Playmatic does not store source code content.
Storage of Customer Data
Playmatic stores user account information, team data, and test execution logs in Supabase-hosted databases. Members of the Playmatic team may access this data to provide technical support and troubleshoot issues. No authentication credentials are stored in Playmatic.
Data Types Stored:
• User authentication data (managed by Supabase)
• Test definitions and configurations
• Test execution results and logs
• Team and billing information
• API usage and analytics data
Access Controls: We maintain strict employee access controls with logged access to customer accounts. Access is only granted when necessary for support or system maintenance. All Playmatic API keys to access customer accounts are encrypted in storage and Playmatic cannot access the values of these keys. For dashboard access, Playmatic only uses trusted third-party authentication methods (Google, GitHub) and uses Supabase Auth to manage the authentication setup.
Machine Learning and Data Usage
Data Processing for Machine Learning
Playmatic may collect and process usage data and customer content (excluding sensitive credentials and personal information) to improve our AI-powered test generation services. Before any such data is used for machine learning purposes, it is strictly aggregated and de-identified to ensure customer privacy and confidentiality.
Our de-identification process removes all personally identifiable information, customer-specific references, and sensitive data. We maintain strict controls to ensure that no raw customer data is ever used directly for machine learning training or model improvements.
Playmatic does not train on customer source code at any point.
Confidentiality and Security Controls
Confidentiality
Playmatic places strict controls over employee access to Customer Data. The operation of Playmatic requires that some employees have access to systems which store or process customer information.
For example, to diagnose problems customers are experiencing with Playmatic services, we may need to access customer accounts. These employees are prohibited from using these permissions to view Customer Data unless necessary. We have technical controls and audit policies to ensure any access to customer accounts is logged.
All employees and contract personnel are bound to our policies regarding confidentiality, and we treat these issues as matters of highest importance within our company.
Security Controls
• Authentication: Multi-factor authentication enforced for all administrative access
• Network Security: VPC isolation, security groups, and TLS encryption for all data in transit
• Database Security: Encrypted connections, row-level security, and access logging
• API Security: Authentication via Supabase sessions or shared secret headers
• Secrets Management: AWS SSM Parameter Store for encrypted storage of sensitive data
Return and Deletion of Customer Data
Within 90 days post contract termination, customers may request return of Customer Data stored by Playmatic (to the extent such data has not already been deleted by the customer).
Playmatic provides the option for administrators to delete all Customer Data stored by Playmatic at any time during a subscription term. Within 30 days of administrator-initiated deletion, Playmatic hard deletes all Customer Data from currently running production systems.
Playmatic-maintained backups of services and data may be destroyed within 90 days (backups are destroyed within this period, except that during an ongoing investigation of an incident such period may be temporarily extended).
Monitoring and Validation
Certificates
Playmatic is currently undergoing SOC 2 Type II certification.
Audits
To verify that our security practices are sound and to monitor Playmatic services for new vulnerabilities discovered by the security research community, our services undergo security assessments by internal personnel and external security firms who perform regular audits.
Personnel
Playmatic conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of Playmatic services.
For any other questions, please feel free to reach out to security@playmatic.ai, and we will get right back to you.
For more information about how we handle your data, please see our Privacy Policy.
© Playmatic, 2025